I have a PDF file that has been digitally signed with a PKCS #12 certificate. Is there a way to get the MD5 or SHA1 hash of the orginal PDF file contents excluding the embedded certificate?

What I am trying to do is generate a PDF file. Send it to a user to sign and return back. I want to make sure that the signed copy is the exact copy of the original that was sent to the user to sign. Options.

Option 1:
1. Get hash of PDF file contents before sending it out to user to sign.
2. Get hash of the PDF file contents of the signed PDF to compare to has in step one to verify integrity.

Option 2:
1. Sign PDF file with my digital signature before sending out to user to sign.
2. Returned signed copy from user should have user signature and my signature. Validate my signature with CA to confirm integrity.

Specifics of the PDF format make your task a non-trivial one. Most of (not to say all) the PDF signing tools invalidate the structure of original document. This is mainly caused by the way the signature is added to the document -- the signing application has to add a number of new signature-related objects to the document, invalidating all the possible hashes that could have been calculated before. Besides, PDF format supports so-called incremental update method, which allows one to modify the document by appending new revisions of the object to the end of the file (and thus keeping the original piece of the file intact, so the hashes are not changed).

A better solution would be to calculate a hash of the document locally and ask user to only sign this hash. Once you received signed hash back from a user, you can use it to form a signature blob and place it to the document.

I like your idea but unfortunately I am required to show the user exactly what they are signing at the time the signature is applied. There will be a slight legal liability for us if we don't show them and if we are applying the user's signature for them or even applying the signature blob as you suggested.

I think my best option at this point is to require two signatures on the document as outlined in Option 2. I digitally sign the PDF before sending it out if anything changes then it would invalidate my signature therefore flagging a data integrity issue.

As far as I know a PDF document can have more than one digital signature applied right?

Yes, Option 2 would be the best choice then. Please note that you should use MDP (certification) signature type when signing the document on your side. This will prevent the user from introducing malicious modifications to the document with the use of incremental update method. Remember to add the sacFillInForms flag to the TElPDFSignature.AllowedChanges flag set when signing the document, as the user's signature will invalidate your one otherwise.

We use cookies to help provide you with the best possible online experience. By using this site, you agree that we may store and access cookies on your device. You can find out more about and set your own preferences here.